Real-World Deployment and Best Practices with Oracle Advanced Security
Kurt Lysy, Principal Product Manager, Oracle Database Security
Matthew Stewart, Director, Information Security, Robert Morris University
Program Agenda
• Oracle Defense-in-Depth Solutions
• Oracle Advanced Security Overview
• Robert Morris University Presentation
• Q&A
Oracle Database Security Defense-in-Depth
Encryption and Masking
• Oracle Advanced Security
• Oracle Secure Backup
• Oracle Data Masking
Access Control
• Oracle Database Vault
• Oracle Label Security
Auditing and Monitoring
• Oracle Audit Vault
• Oracle Configuration Management
• Oracle Total Recall
Blocking and Logging
• Oracle Database Firewall
Oracle Advanced Security: Transparent Data Encryption (TDE)
(Figure: application data protected on disk, in backups, in exports and at off-site facilities)
• Efficient encryption of all application data
• Built-in key lifecycle management
• No application changes required
• Works with Exadata V2
• Works with Oracle Advanced Compression
Oracle Advanced Security Key Features
• Network Encryption
• Strong Authentication
• RMAN / TDE fully encrypted database backups to disk
• Master Key held in an Oracle Wallet or a Hardware Security Module
• Encrypted Exports
Oracle Advanced Security: Creating Encrypted Tablespaces
Oracle Advanced Security: Configuring TDE Column Encryption
Robert Morris University Presentation
About Robert Morris University
Pittsburgh | 1921 | 5000 | 15:1
Students from nearly every state and 40 countries from Brazil to Vietnam.
93 percent of our graduates get jobs in their field within six months of graduation.
D-1 Sports
The "Financier of the American Revolution." He isn't as famous as his friend George Washington, but without Robert Morris, the American colonies' bold attempt to throw off British rule never could have succeeded.
IT Sec at RMU
The mission of RMU's Information Security team is to deliver an information security program that helps to safeguard the University's information and assets while maintaining an open educational environment that is compliant with regulatory standards.
To accomplish this mission, the Information Security team has many goals, including assessing current policies and procedures, developing new policies to protect University resources, assisting in establishing and strengthening technical baselines to protect university technical assets, reacting to incidents that endanger the Institute's information, proactively assessing and monitoring for possible security weaknesses, and educating the University community about relevant security threats.
IT Team of 20
Security Team of 2, with a tight budget
IT Sec at RMU
Information Security: Many Responsibilities Including:
• Security Assessments
• Intrusion Analysis
• Secure Network Design
• Incident Response
• Firewall Architectures
• Vulnerability Assessment
• Training/Instruction
• Policy Development
• Records Retention
• Change Management
• Negotiations/Procurement
• Computer Forensics
• Data Loss Prevention
• Encryption
• Web Application Security
• Database Security
• Audit/Compliance
• End Point Security
• Patch Management
• Network Access Control
• Antivirus/Anti-Spyware
• Content Management
• SIEM
Threats against RMU
Hackers
Insiders
Students
Malware
Phishing
Physical Theft
Access
Mistakes
Feb 2007: Ohio State University. Database compromise; data of at least 14,000 staff compromised. A separate incident in Feb. had 3,500 students' data compromised.
Aug 2008: Laptop with Social Security numbers stolen from University of Pittsburgh.
June 2010: A bot infection compromised 15,806 Social Security numbers stored in a university database at Penn State University.
Government Regulations
Federal
• FERPA
• HIPAA
• GLBA
• Red Flags
PA and Other
• PA Breach and Notification
• Mass. Law Ch. 93H
• PCI Compliance
• NCAA
Where We Were
We were in pretty bad shape...
• Oracle 8.1
• Poor patch cycles
• Too much access to way too many people
• No web input sanitization
Very open... Very Vulnerable
Layered Security Approach
Layer #1 - Proactive Software Assurance: Web/Database Applications
Layer #2 - Blocking Attacks: Network-Based Firewalls, Email Filtering
Layer #3 - Blocking Attacks: Host-Based Antivirus, Secure Configurations
Layer #4 - Eliminating Security Vulnerabilities: Scanning, Patch Management
Layer #5 - Safely Supporting Authorized Users: Encryption, Data Leak Prevention
Layer #6 - Tools to Manage Security & Maximize Effectiveness: Training, Organizational Memberships and Awareness
***Diversity is amongst ALL layers***
Where We Are
Moving to Oracle Database 11g on 64-bit Enterprise Linux
• Oracle Advanced Security
• Patch management process
• Input sanitization
• Reduced access
• Web defenses
Not perfect yet but good progress
Where We Are
Oracle Adv. Security provides us with:
• Network Encryption: encryption of data in motion
• Transparent Data Encryption (TDE): encryption of data at rest (tablespace TDE)
• Strong authentication (certificate-based authentication)
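As an added example (not part of the presentation and not Oracle's own material), the SQL*Plus script below shows how the native network encryption listed above is enforced and then verified on Oracle Database 11g. The sqlnet.ora parameters are shown in a comment because they are configuration rather than SQL; the cipher and checksum choices and the `$ORACLE_HOME` location are assumptions.

```sql
-- Added example, not from the presentation: enforcing and verifying
-- Oracle Advanced Security native network encryption (Oracle Database 11g).
--
-- Server-side sqlnet.ora ($ORACLE_HOME/network/admin/sqlnet.ora), shown as a
-- comment because it is a configuration file, not SQL. Cipher choices are assumptions.
--   SQLNET.ENCRYPTION_SERVER = REQUIRED
--   SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
--   SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
-- REQUIRED (instead of the default ACCEPTED) makes the server reject clients
-- that cannot negotiate encryption, so there is no silent cleartext fallback.
-- The client side uses the matching SQLNET.ENCRYPTION_CLIENT /
-- SQLNET.CRYPTO_CHECKSUM_CLIENT parameters.

-- 1. What did the current session actually negotiate? The banner rows list
--    the adapters in use; with encryption on, rows naming an encryption
--    service and a crypto-checksumming service appear alongside the
--    protocol and authentication adapters.
SELECT network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID');

-- 2. Detection across the instance: user sessions whose connection shows no
--    encryption service at all. Local bequeath (non-network) sessions will
--    also appear here, since no network layer is involved for them.
SELECT s.sid, s.username, s.machine, s.program
  FROM v$session s
 WHERE s.type = 'USER'
   AND NOT EXISTS (
         SELECT 1
           FROM v$session_connect_info c
          WHERE c.sid = s.sid
            AND LOWER(c.network_service_banner) LIKE '%encryption service%');
```

Querying `v$session_connect_info` needs the usual `SELECT` privilege on the `V_$` views; running the second query from a monitoring job is a cheap way to confirm that REQUIRED is really in effect after a sqlnet.ora change, because the parameter is read by the listener-spawned server process and a typo there fails open to ACCEPTED behaviour.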
Where We Are
Tablespace TDE: at-rest data encryption feature available only in Oracle Database 11g
Based on block-level encryption that encrypts on writes and decrypts on reads
Data is encrypted/decrypted at the I/O (block) level and not in memory (unlike TDE column encryption, which performs the encryption in the PGA of the server process)
The only encryption penalty is associated with I/O, so overall encryption performance is better than for TDE column encryption
SQL access paths are unchanged and all data types are supported (the CBO could assign some I/O penalty, however)
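The following SQL*Plus script is an added example, not code from the presentation or from Oracle's documentation. It walks through the 11g TDE setup the slides above describe: creating the master key and wallet, creating an encrypted tablespace, moving a table into it, and, for contrast, encrypting a single column, then verifying both through the data dictionary. The wallet directory, datafile path, tablespace, schema, table, index and column names are assumptions.

```sql
-- Added example, not from the presentation: TDE tablespace encryption versus
-- column encryption on Oracle Database 11g. All object names and paths are assumptions.
--
-- Prerequisite in sqlnet.ora (configuration, shown as a comment):
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE = (METHOD = FILE)
--       (METHOD_DATA = (DIRECTORY = /u01/app/oracle/admin/orcl/wallet)))

-- 1. Create the master encryption key (and the wallet, if it does not exist yet).
--    The wallet password protects the file that holds the master key; if the
--    wallet is lost, every encrypted tablespace and column becomes unreadable,
--    so back it up separately from the database backups.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet-password-placeholder";

-- After each instance restart the wallet must be opened before encrypted data is readable:
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet-password-placeholder";

SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;   -- expect STATUS = OPEN

-- 2. Tablespace encryption: every block written to this tablespace is encrypted
--    at the I/O layer and decrypted on read; SQL, indexes and data types are untouched.
CREATE TABLESPACE student_enc
  DATAFILE '/u01/app/oracle/oradata/orcl/student_enc01.dbf' SIZE 200M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Move an existing table into it; the rows are rewritten through the encrypting I/O path.
ALTER TABLE registrar.students MOVE TABLESPACE student_enc;
-- A MOVE leaves the table's indexes unusable, so rebuild them (into the encrypted tablespace).
ALTER INDEX registrar.students_pk REBUILD TABLESPACE student_enc;
-- Caveat: the datafile of the old, unencrypted tablespace still holds plaintext
-- copies of the blocks until that tablespace is dropped and its storage reclaimed.

-- 3. Column encryption, for contrast: only this column is encrypted, and the work
--    happens in the PGA of the server process rather than at the I/O layer.
--    The default SALT prevents an index on the column; NO SALT would be needed for one.
ALTER TABLE registrar.students MODIFY (ssn ENCRYPT USING 'AES192');

-- 4. Verify what is actually encrypted.
SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;

SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
```

`ALTER SYSTEM SET ENCRYPTION KEY` re-keys the master key every time it is run, so it belongs in a controlled key-rotation procedure rather than in a startup script; day-to-day startups only need the `WALLET OPEN` statement (or an auto-login wallet).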
How Did We Get There?
Week 1, 2 days: SSCP kickoff meeting
• Overview of network encryption and TDE
• Identified application data to be encrypted
• Ran healthcheck script in upgrade environment
• Created initial draft of TDE tablespace encryption functional use cases
Week 2, 2 days:
• Deployed TDE tablespace encryption in upgrade environment
• Performed use case testing of TDE tablespace encryption
Week 3, 4 days:
• Completed deployment of TDE tablespace encryption
• Deployed network encryption in upgrade environment
• Performed use case testing of network encryption
• Knowledge transfer sessions
Performance Testing
The approach taken for each of the four test queries was to take event 10046 level 12 SQL traces within SQL*Plus using the procedure DBMS_SYSTEM.SET_EV, then run each generated trace file through TKPROF.
The level 12 SQL traces were taken in each of the three test configurations.
The applications team identified a set of five core test application queries whose performance would be compared across the configurations:
• student registration via Patriot client
• checksheet batch processing
• IRSE load processing
• nightly processing
• catalog course search
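As an added example (not from the presentation), the SQL*Plus script below performs one iteration of the tracing procedure just described: enabling event 10046 at level 12 on the test session through `DBMS_SYSTEM.SET_EV`, running a query, disabling the event, locating the trace file and formatting it with TKPROF. It is re-run once per test configuration. The test query, schema, trace-file identifier and the trace path in the `HOST` line are assumptions or placeholders.

```sql
-- Added example, not from the presentation: one 10046 level 12 trace run,
-- repeated once per test configuration. Query, schema and paths are assumptions.
-- DBMS_SYSTEM is an undocumented SYS package: grant EXECUTE on it to the test
-- account only, and revoke it when the performance tests are finished.

-- Tag the trace file so the three configurations can be told apart later.
ALTER SESSION SET tracefile_identifier = 'tde_tablespace_q1';

-- Remember this session's sid/serial# in SQL*Plus bind variables; SET_EV can
-- just as well target another session (e.g. the batch job) by its sid/serial#.
VARIABLE sid    NUMBER
VARIABLE serial NUMBER
BEGIN
  SELECT sid, serial# INTO :sid, :serial
    FROM v$session
   WHERE sid = SYS_CONTEXT('USERENV', 'SID');
  -- event 10046, level 12 = SQL trace (1) + bind values (4) + wait events (8)
  SYS.DBMS_SYSTEM.SET_EV(:sid, :serial, 10046, 12, '');
END;
/

-- The query under measurement (constructed stand-in for an application query).
SELECT COUNT(*)
  FROM registrar.students
 WHERE term_code = '201010';

-- Level 0 switches the event off again so later statements do not pollute the file.
EXEC SYS.DBMS_SYSTEM.SET_EV(:sid, :serial, 10046, 0, '')

-- Where did the trace land? (v$diag_info exists from 11g onwards.)
SELECT value AS trace_file
  FROM v$diag_info
 WHERE name = 'Default Trace File';

-- Format it: sys=no drops recursive SYS SQL, sort puts the slowest executes/fetches first.
-- <spid> is a placeholder; use the path returned by the query above.
HOST tkprof /u01/app/oracle/diag/rdbms/orcl/orcl/trace/orcl_ora_<spid>_tde_tablespace_q1.trc q1_tde_tablespace.prf sys=no sort=exeela,fchela
```

Comparing the TKPROF summaries across configurations, the elapsed and wait-event sections are the ones that matter for TDE tablespace encryption: the CPU column should barely move between the unencrypted and encrypted runs, while any difference shows up in the I/O waits, which is exactly the behaviour the "only penalty is on I/O" slide predicts.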
Performance Testing Results (secs)
Where We Are Going
What is the Security Pack?
• A team of deployment security experts to assist customers with going live with our database security products
• Products that we assist with:
  – Advanced Security, Database Vault, Audit Vault, Label Security, Database Firewall
• Customer agrees to be a reference
• Have your Oracle account rep nominate you for this valuable program!
More Oracle Database Security Presentations
• Monday:
  – 12:30 pm: Making a Business Case for Information Security, MS 300
  – 3:30 pm: Oracle Database 11g Release 2 Security: Defense-in-Depth, MS 103
• Tuesday:
  – 12:30 pm: Real-World Deployment and Best Practices: Oracle Audit Vault, MS 104
  – 2:00 pm: Real-World Deployment and Best Practices: Oracle Advanced Security, MS 300
  – 3:30 pm: Database Security Event Management: Oracle Audit Vault and ArcSight, MS 300
  – 5:00 pm: Real-World Deployment and Best Practices: Oracle Database Vault, MS 303
• Wednesday:
  – 10:00 am: Protect Data and Save Money: Aberdeen, MS 306
  – 11:30 am: Preventing Database Attacks With Oracle Database Firewall, MS 306
  – 4:45 pm: Centralized Key Management and Performance: Oracle Advanced Security, MS 306
• Thursday:
  – 10:30 am: Deploying Oracle Database 11g Securely on Oracle Solaris, MS 104
MS = Moscone South
Oracle Database Security Hands-on-Labs
• Monday:
  – Database Vault 11:00AM | Marriott Marquis, Salon 10 / 11
  – Database Vault 5:00PM | Marriott Marquis, Salon 10 / 11
• Tuesday:
  – Database Security 11:00AM | Marriott Marquis, Salon 10 / 11
• Thursday:
  – Advanced Security 12:00PM | Marriott Marquis, Salon 10 / 11
  – Audit Vault 1:30PM | Marriott Marquis, Salon 10 / 11
Oracle Database Security Demo Grounds, Moscone West
• Oracle Database Firewall
• Oracle Database Vault
• Oracle Label Security
• Oracle Audit Vault
• Oracle Advanced Security
• Oracle Database 11g Release 2 Security
Exhibition Hours
Monday, September 20 9:45 a.m. - 5:30 p.m.
Tuesday, September 21 9:45 a.m. - 5:30 p.m.
Wednesday, September 22 9:00 a.m. - 4:00 p.m.
For More Information
oracle.com/database/security
search.oracle.com (search term: database security)
Q&A